Cybercriminals have been compromising websites to display a fake security certificate error message in hopes of tricking visitors into downloading the Mokes backdoor or the Buerak downloader.
Researchers from Kaspersky who discovered the scam said in a blog post that the ruse is a new twist on the old technique of hacking a website so that visitors are asked to download a fake, malicious "security update" for a browser or software program such as Adobe Flash Player.
The fake notification is delivered via a malicious iframe, whose contents are loaded from the third-party resource ldfidfa[.]pw. The iframe matches the size of the victimized webpage and perfectly overlaps the original content. The URL bar still displays the correct address, so visitors are less likely to become suspicious.
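As an added illustration of how a site owner can check their own pages for this kind of injection (this is example code written for this article, not a tool from Kaspersky or from the researchers cited), the script below parses a page's HTML and flags any iframe whose source is a third-party origin and which is sized to cover the whole page. The sample HTML, the `example-zoo.invalid` page URL and the `attacker-controlled.invalid` host are constructed for the demonstration; the injected frame mirrors the traits described above (third-party `src`, full-page size, fixed positioning) rather than any real payload.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, urljoin
import re

# Constructed sample: a legitimate page whose HTML has been tampered with to add
# a full-page, cross-origin iframe. Domains and paths are made up for this example.
PAGE_URL = "https://example-zoo.invalid/tickets"

SAMPLE_HTML = """
<html><body>
<h1>Zoo tickets</h1>
<iframe src="/widgets/map" width="300" height="200"></iframe>
<iframe src="/news" style="width:100%;height:100vh"></iframe>
<iframe src="https://video.partner.invalid/embed/42" width="560" height="315"></iframe>
<div id="content">Opening hours, prices, directions...</div>
<iframe src="https://attacker-controlled.invalid/cert.html"
        style="position:fixed;top:0;left:0;width:100%;height:100%;z-index:99999;border:0"></iframe>
</body></html>
"""

# A width/height of 100% or 100vw/100vh is the simplest way to match the page size.
FULL_SIZE = re.compile(r"^\s*100\s*(%|vw|vh)\s*$")
OVERLAY_POSITION = {"fixed", "absolute"}


def parse_style(style):
    """Turn an inline style string into a {property: value} dict (lower-cased)."""
    decls = {}
    for part in (style or "").split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            decls[key.strip().lower()] = value.strip().lower()
    return decls


def is_third_party(src, page_url):
    """True when the iframe loads from a host other than the page's own host.

    Relative paths, protocol-relative URLs (//host/path) and srcdoc/empty frames
    are resolved against the page URL so they are treated as same-origin.
    """
    if not src:
        return False
    frame_host = urlparse(urljoin(page_url, src)).netloc.lower()
    page_host = urlparse(page_url).netloc.lower()
    return frame_host != page_host


def covers_page(attrs, style):
    """True when both width and height are 100% / 100vw / 100vh.

    Inline style wins over the HTML width/height attributes, as in the browser.
    """
    width = style.get("width", attrs.get("width", ""))
    height = style.get("height", attrs.get("height", ""))
    return bool(FULL_SIZE.match(width)) and bool(FULL_SIZE.match(height))


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})


def find_overlay_iframes(html, page_url):
    """Return cross-origin iframes sized to cover the whole page, with reasons."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        if not is_third_party(src, page_url):
            continue
        style = parse_style(attrs.get("style"))
        if not covers_page(attrs, style):
            continue
        reasons = ["third-party src", "full-page size"]
        if style.get("position") in OVERLAY_POSITION:
            reasons.append("position:" + style["position"])
        if "z-index" in style:
            reasons.append("z-index:" + style["z-index"])
        findings.append({
            "src": src,
            "host": urlparse(urljoin(page_url, src)).netloc.lower(),
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for finding in find_overlay_iframes(SAMPLE_HTML, PAGE_URL):
        print(finding["host"], "->", ", ".join(finding["reasons"]))
```

Run against the constructed sample, only the `attacker-controlled.invalid` frame is reported: the site's own full-width `/news` embed is same-origin, and the partner video embed is cross-origin but fixed at 560 by 315. A check like this is most useful run periodically against a saved copy of the live page, since the injection happens on the compromised server and is invisible in the site's own source repository.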
"Security Certificate is out of date," the fake message states in the form of an on-page banner. "Detected a potential security risk and has not extended the transition to ldfidfa[.]pw. Installing a security certificate may allow this connection to succeed." At various times during the campaign, clicking on the corresponding button has resulted in the download of either Buerak or Mokes.
Kaspersky found the scam dates back to at least Jan. 16, and has affected a variety of websites belonging to everything "from a zoo to a store selling auto parts."
"As incidents involving certificate issuance and deployment become more well-known and mainstream, attackers have one more avenue to use in creating attacks that leverage social engineering efforts," said Pratik Savla, senior security engineer at Venafi. "Unfortunately, and also unsurprisingly, we are bound to see an uptick of this kind of campaign. In addition, attackers have also become much bolder with the use of malicious iframes. In the past, it was common for a threat actor to inject their iframes towards the bottom of a webpage. But now one can encounter it anywhere on the webpage."